This article is focused on providing developer guidance on Clickjack/UI Redress attack prevention. For more information on the risk of Clickjacking, please visit [https://www.owasp.org/index.php/Clickjacking this page].

+

This cheat sheet is focused on providing developer guidance on Clickjack/UI Redress attack prevention. For more information on the risk of Clickjacking, please visit [https://www.owasp.org/index.php/Clickjacking this page].

The most popular way to defend against clickjacking is to include some sort of "frame-breaking" functionality which prevents other web pages from framing the site you wish to defend. This cheat sheet will discuss two methods of implementing frame-braking; via X-FRAME-OPTIONS headers (if the browser or browsers in question support it) and via javascript "frame-breaking" code.

The most popular way to defend against clickjacking is to include some sort of "frame-breaking" functionality which prevents other web pages from framing the site you wish to defend. This cheat sheet will discuss two methods of implementing frame-braking; via X-FRAME-OPTIONS headers (if the browser or browsers in question support it) and via javascript "frame-breaking" code.

DRAFT CHEAT SHEET - WORK IN PROGRESS

Clickjacking Defense Introduction

This cheat sheet is focused on providing developer guidance on Clickjack/UI Redress attack prevention. For more information on the risk of Clickjacking, please visit this page.

The most popular way to defend against clickjacking is to include some sort of "frame-breaking" functionality which prevents other web pages from framing the site you wish to defend. This cheat sheet will discuss two methods of implementing frame-braking; via X-FRAME-OPTIONS headers (if the browser or browsers in question support it) and via javascript "frame-breaking" code.

Defending with X-FRAME-OPTIONS response headers

The X-FRAME-OPTIONS header is used to mark responses that should not be framed.

Specifics

There are three options with X-FRAME-OPTIONS.

The first is DENY, which prevents everyone from framing the content.

The second option is SAMEORIGIN, which only allows the current site to frame the content.

The third, is the ALLOW-FROM 'sitename' header, which permits the specified 'sitename' to frame this page. (e.g., ALLOW-FROM http://www.foo.com) The ALLOW-FROM option is a relatively recent addition (circa 2012) and may not be supported by all browsers yet.

Implementation

To implement this protection, you need to add the header to any page that you want to protect from being clickjacked. One way to do this is to add the header manually to every page. A possibly simpler way is to implement a filter that automatically adds the header to every page.

Defending legacy browsers

The following methodology will prevent a webpage from being framed even in legacy browsers.